
Loach
Level 11

How to protect assets

I am using a DigitalOcean Spaces account, which I believe has the same API as S3. I am wondering how I can protect the files from public download. I have some large zip files (2 GB or more) I will need to protect. I will want the user to be able to download them from the website.

This is example code I use to store the file:

$path = $s3->put('/albums', request()->file, 'public');
0 likes
15 replies
jlrdw

I normally put secure files somewhere else in the file system nowhere web related.

Then I have some digits in the file name that have to match the authenticated user's ID.

Loach
Level 11

@jlrdw that might work, but I am behind load balancers, and if I need to be able to stream a video from Spaces there seems to be no way to lock it to my particular domain. Meaning anyone with the link can download it.

martinbean
Level 80

@loach You don’t want to take the “security by obscurity” suggestion. Instead, implement proper authorisation.

S3 allows you to choose the “visibility” of a file when uploading. A file can either be public (accessible via a URL) or private. Looking at DigitalOcean Spaces’ documentation, it seems to be pretty compatible with S3’s API, so you’ll need to store files with a private ACL when uploading to Spaces.

Upload an Object (PUT) (set the x-amz-acl parameter to private)

When a user wants to download a file, you’ll need to first check if they’re allowed to access the file. This logic belongs in your application. If the user is permitted to access the file, then you should create a pre-signed URL that’s only valid for a predefined length of time. The user should use this URL to access their file. Your application can simply redirect to this URL.

1 like
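The flow martinbean describes (private ACL on upload, authorization in the application, then a short-lived pre-signed URL and a redirect), written out as an added Laravel example; this is not code from the thread. It assumes a `spaces` disk configured with the `s3` driver in `config/filesystems.php`, an `Album` model with a `user_id` column and an `images()` relation, and an `Image` model with a `path` column.

```php
<?php
// Added example (not from the thread). Assumed models: Album (user_id, images())
// and Image (path). Assumed disk: 'spaces' (s3 driver pointed at the Spaces endpoint).

namespace App\Http\Controllers;

use App\Models\Album;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Storage;

class AlbumFileController extends Controller
{
    // Store the upload with a private ACL so the object can never be fetched by its plain URL.
    public function store(Request $request, Album $album)
    {
        abort_unless($request->user()->id === $album->user_id, 403);

        // Laravel's 'max' rule for files is in kilobytes: 2 GB.
        $request->validate(['file' => ['required', 'file', 'max:' . (2 * 1024 * 1024)]]);

        $path = Storage::disk('spaces')->putFile(
            'albums/' . $album->id,
            $request->file('file'),
            'private' // sent as x-amz-acl: private
        );

        $album->images()->create(['path' => $path]);

        return back();
    }

    // Authorization happens here, in the application; the URL only works for five minutes.
    public function download(Request $request, Album $album, string $imageId)
    {
        abort_unless($request->user()->id === $album->user_id, 403);

        $image = $album->images()->findOrFail($imageId);

        $url = Storage::disk('spaces')->temporaryUrl(
            $image->path,
            now()->addMinutes(5),
            // GetObject option: make the browser save the file instead of rendering it.
            ['ResponseContentDisposition' => 'attachment; filename="' . basename($image->path) . '"']
        );

        return redirect()->away($url);
    }
}
```

Two things to check when trying this: the `spaces` disk needs the `endpoint` key set to the region's Spaces endpoint (the S3 driver honours it), and a 2 GB upload will also need `upload_max_filesize` and `post_max_size` raised in `php.ini`, which the validation rule above does not do for you.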
Loach
Level 11

@martinbean If I use the following code it puts the file as private, so that part is taken care of.

$path = $s3->put('/albums', request()->file);

I am not sure about the pre-signed URL stuff. Do you have any links to tutorials etc.?

Loach
Level 11

Oh, the pre-signed URL stuff is built into Laravel. Thanks, I will take a look into it.

Loach
Level 11

@martinbean What if I have a collection that has the filenames? The reason I am asking is because it will be a Vue file that shows images; I cannot call that method from Vue. Or does it not work this way?

$album = Album::with('images')->find($id);

The 'images' collection has the file URL.

martinbean

@loach You’ll need an API endpoint that serves the pre-signed URLs to your Vue component. So query the images for the album, and then create pre-signed URLs for each one so that your front-end can reference and display them. You might want to use an API Resource class for that.
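An added example (not code from the thread) of the endpoint martinbean suggests: an API Resource that signs each image's path per request, and a controller that authorizes the album before returning the collection. It assumes the same `Album`/`Image` models and `spaces` disk as above, plus an `AlbumPolicy` with a `view` ability and the `auth:sanctum` guard on the route; bracketed namespace syntax is used only to keep both classes in one listing.

```php
<?php
// Added example (not from the thread). Assumptions: Album (user_id, images()),
// Image (path), a 'spaces' disk, and AlbumPolicy::view registered for Album.

namespace App\Http\Resources {

    use Illuminate\Http\Resources\Json\JsonResource;
    use Illuminate\Support\Facades\Storage;

    class ImageResource extends JsonResource
    {
        public function toArray($request): array
        {
            return [
                'id' => $this->id,
                // Signed on every request; the front-end must not cache or persist this URL,
                // it stops working after ten minutes.
                'url' => Storage::disk('spaces')->temporaryUrl($this->path, now()->addMinutes(10)),
            ];
        }
    }
}

namespace App\Http\Controllers\Api {

    use App\Http\Controllers\Controller;
    use App\Http\Resources\ImageResource;
    use App\Models\Album;
    use Illuminate\Http\Request;

    class AlbumImageController extends Controller
    {
        // GET /api/albums/{album}/images
        public function index(Request $request, Album $album)
        {
            // The policy, not the file name, decides who may list the album.
            $this->authorize('view', $album);

            return ImageResource::collection($album->images()->get());
        }
    }

    // routes/api.php:
    // Route::middleware('auth:sanctum')
    //     ->get('/albums/{album}/images', [AlbumImageController::class, 'index']);
}
```

The Vue component calls the endpoint and binds `image.url` to `<img :src>`; because the URL is signed rather than the bucket being public, a copied link stops working once the expiry passes, which is the property the original question was after.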

Loach
Level 11

@martinbean I am using the web API for now, but you have given me an idea. I think I could use the Model's accessor.

jlrdw

Just my opinion, I like @Sinnbeck's approach for private files. That way you can make sure the authenticated logged-in user is the one downloading. I just take his approach one step further and use the ID as part of the image name, and verify that it matches before any download can take place.

But there are two or three good techniques. But either technique mentioned is secure. I don't know where the obscurity thing came from, as that is not a way to secure private images.

But I would say for private files do not put them in storage; put them in a stray folder somewhere on the disk.

Somewhere that is in no way web accessible; serve them through a response (script) that has been authenticated.

To add, of course if DigitalOcean has secure file capability, yes, use it, but test and make sure you've done it correctly.

A script that has to be authenticated, with an ID that matches, is also secure.
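The local-disk variant jlrdw describes, as an added Laravel example (not code from the thread): the file lives under `storage/app/private`, which is outside the web root, the route sits behind the `auth` middleware, and the user ID embedded at the start of the file name is verified against the session before a byte is sent. The file-naming scheme `<userId>-<name>` and the `private/` directory are assumptions for the example.

```php
<?php
// Added example (not from the thread). Assumptions: files stored as
// storage/app/private/<userId>-<name>; route registered behind the 'auth' middleware:
// Route::middleware('auth')->get('/files/{file}', [PrivateFileController::class, 'show']);

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Storage;
use Symfony\Component\HttpFoundation\StreamedResponse;

class PrivateFileController extends Controller
{
    public function show(Request $request, string $file): StreamedResponse
    {
        // Only a bare file name is accepted, so "../" can never leave the private directory.
        abort_unless($file === basename($file), 404);

        // The leading digits of the name must be the authenticated user's ID (jlrdw's check).
        abort_unless(preg_match('/^(\d+)-/', $file, $m) === 1, 404);
        abort_unless((int) $m[1] === $request->user()->id, 403);

        $disk = Storage::disk('local'); // root is storage/app, not served by the web server
        $path = 'private/' . $file;

        abort_unless($disk->exists($path), 404);

        // A streamed response, so a multi-gigabyte archive is never loaded into memory.
        return $disk->download($path);
    }
}
```

Because the response is streamed by the application rather than redirected to object storage, this works behind a load balancer without any per-domain locking, at the cost of the PHP worker being tied up for the duration of the download; the name check is an extra guard on top of authentication, not a substitute for it.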

sr57

Hi All, @jlrdw @loach @martinbean @sinnbeck

I read the last message from @jlrdw but see no message from @sinnbeck!

That said, during the last weeks (I have been on this site for less than 2 months) I regularly saw messages from you, @sinnbeck, but for some days now none. Did you post during these days? If so, I saw no message from you ...
